feat(oidc): add oidc support

\# Example
1. Create OIDC app
just for the reference, gitlab_application is server wide and not ideal for use e.g. on gitlab.com, there's no support for the group applications
```tf
resource "gitlab_application" "fridges_list" {
  name         = "gitlab-app"
  redirect_url = "www.example.com"
  scopes = [
    "openid",
    "read_user",
    "profile",
    "email",
  ]
}
```

2. use module
```tf
module "static_site" {
  source  = "cookielab/static-site/aws"
  version = "4.9.0"

  providers = {
    aws           = aws
    aws.us_east_1 = aws.vir
  }

  domains        = ["www.exmaple.com"]
  domain_zone_id = "aws_route53_zone.example_com.zone_id"
  s3_bucket_name = "example-com-web"

  gitlab_project_id  = data.gitlab_project.app_fridges_list.id
  gitlab_environment = var.environment

  enable_deploy_role = true
  enable_deploy_user = false

  oidc = [
    { # first oidc provider
      application_name = "gitlab"
      application_id   = gitlab_application.gitlab_application.application_id
      client_secret    = gitlab_application.gitlab_application.secret
      auth_url         = "https://gitlab.com/oauth/authorize"
      token_url        = "https://gitlab.com/oauth/token"
    },
    { # second oidc provider
      application_name = "second"
      application_id   = "second-oidc-app-id"
      client_secret    = "second-oidc-client-secret"
      auth_url         = "https://another-oidc-provicer.example.com/oauth/authorize"
      token_url        = "https://another-oidc-provicer.example.com/oauth/token"
    }
  ]
```

Then https://www.example.com/?auth=APPLICATION_NAME forces auth with specified provider, e.g.:
- https://www.example.com/?auth=gitlab
- https://www.example.com/?auth=second

This is messy. Perhaps we can get along with a single OIDC auth for the application or if no session cookie is present redirect to a url hosted on s3 bucket with constructed html from the oidc list.
```
<h1>Choose authentication method</h1>
<ul>
  <li>
    <a href=/?auth=gitlab>gitlab</a>
  </li>
  <li>
    <a href=/?auth=second>gitlab</a>
  </li>
</ul>
```

fmt

cleanup

review: update lambda engine version nodejs18.x -> nodejs22.x

replace apigateway with lambda_function_url

update docs + fix duplicate blocks of outdated documentation due to missing BEGIN_TF_DOCS comment

review

parametrize session_duration per provider, fix cookie domain

comment sensitive log messages in lambdas

Author: jindraj

README.md

@@ -24,93 +24,40 @@ module "static-site" {
 }
 ```
 
-## Requirements
-
-| Name                                                                     | Version       |
-| ------------------------------------------------------------------------ | ------------- |
-| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.1, < 2.0 |
-| <a name="requirement_aws"></a> [aws](#requirement_aws)                   | ~> 4.32       |
-
-## Providers
-
-| Name                                             | Version |
-| ------------------------------------------------ | ------- |
-| <a name="provider_aws"></a> [aws](#provider_aws) | ~> 4.32 |
-
-## Modules
-
-| Name                                                                 | Source                              | Version |
-| -------------------------------------------------------------------- | ----------------------------------- | ------- |
-| <a name="module_certificate"></a> [certificate](#module_certificate) | terraform-aws-modules/acm/aws       | 4.3.1   |
-| <a name="module_gitlab"></a> [gitlab](#module_gitlab)                | ./modules/gitlab                    | n/a     |
-| <a name="module_s3_bucket"></a> [s3_bucket](#module_s3_bucket)       | terraform-aws-modules/s3-bucket/aws | 3.6.0   |
-
-## Resources
-
-| Name                                                                                                                                                        | Type        |
-| ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution)                     | resource    |
-| [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource    |
-| [aws_iam_access_key.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key)                                     | resource    |
-| [aws_iam_user.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user)                                                 | resource    |
-| [aws_iam_user_policy.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy)                                   | resource    |
-| [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record)                                       | resource    |
-| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                 | data source |
-| [aws_iam_policy_document.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)                        | data source |
-
-## Inputs
-
-| Name                                                                                                | Description                                                                | Type           | Default            | Required |
-| --------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | -------------- | ------------------ | :------: |
-| <a name="input_cloudfront_price_class"></a> [cloudfront_price_class](#input_cloudfront_price_class) | n/a                                                                        | `string`       | `"PriceClass_100"` |    no    |
-| <a name="input_domain_zone_id"></a> [domain_zone_id](#input_domain_zone_id)                         | The ID of the hosted zone for domain                                       | `string`       | n/a                |   yes    |
-| <a name="input_domains"></a> [domains](#input_domains)                                              | List of domain aliases. You can also specify wildcard eg.: `*.example.com` | `list(string)` | n/a                |   yes    |
-| <a name="input_gitlab_environment"></a> [gitlab_environment](#input_gitlab_environment)             | n/a                                                                        | `string`       | `"*"`              |    no    |
-| <a name="input_gitlab_project_id"></a> [gitlab_project_id](#input_gitlab_project_id)                | n/a                                                                        | `string`       | `null`             |    no    |
-| <a name="input_logs_bucket"></a> [logs_bucket](#input_logs_bucket)                                  | n/a                                                                        | `string`       | `null`             |    no    |
-| <a name="input_s3_bucket_name"></a> [s3_bucket_name](#input_s3_bucket_name)                         | n/a                                                                        | `string`       | n/a                |   yes    |
-| <a name="input_tags"></a> [tags](#input_tags)                                                       | n/a                                                                        | `map(string)`  | `{}`               |    no    |
-
-## Outputs
-
-| Name                                                                                                                          | Description |
-| ----------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| <a name="output_aws_access_key_id"></a> [aws_access_key_id](#output_aws_access_key_id)                                        | n/a         |
-| <a name="output_aws_cloudfront_distribution_id"></a> [aws_cloudfront_distribution_id](#output_aws_cloudfront_distribution_id) | n/a         |
-| <a name="output_aws_s3_bucket_name"></a> [aws_s3_bucket_name](#output_aws_s3_bucket_name)                                     | n/a         |
-| <a name="output_aws_secret_access_key"></a> [aws_secret_access_key](#output_aws_secret_access_key)                            | n/a         |
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5, < 2.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.27 |
-| <a name="requirement_gitlab"></a> [gitlab](#requirement\_gitlab) | >= 15.7, < 18.0 |
+| <a name="requirement_gitlab"></a> [gitlab](#requirement\_gitlab) | >= 15.7, < 19.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.27 |
-| <a name="provider_gitlab"></a> [gitlab](#provider\_gitlab) | >= 15.7, < 18.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.61.0 |
+| <a name="provider_gitlab"></a> [gitlab](#provider\_gitlab) | 17.2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_certificate"></a> [certificate](#module\_certificate) | terraform-aws-modules/acm/aws | 5.1.1 |
+| <a name="module_certificate"></a> [certificate](#module\_certificate) | terraform-aws-modules/acm/aws | 5.2.0 |
 | <a name="module_gitlab"></a> [gitlab](#module\_gitlab) | ./modules/gitlab | n/a |
-| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.8.0 |
+| <a name="module_oidc"></a> [oidc](#module\_oidc) | ./modules/oidc | n/a |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.11.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_cloudfront_cache_policy.oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_cache_policy) | resource |
 | [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
+| [aws_cloudfront_origin_request_policy.oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_request_policy) | resource |
 | [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource |
 | [aws_iam_access_key.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_role.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -158,6 +105,7 @@ module "static-site" {
 | <a name="input_logs_bucket_domain_name"></a> [logs\_bucket\_domain\_name](#input\_logs\_bucket\_domain\_name) | n/a | `string` | `null` | no |
 | <a name="input_max_ttl"></a> [max\_ttl](#input\_max\_ttl) | Maximum amount of time that you want objects to stay in a CloudFront cache | `number` | `86400` | no |
 | <a name="input_min_ttl"></a> [min\_ttl](#input\_min\_ttl) | Minimum amount of time that you want objects to stay in a CloudFront cache | `number` | `0` | no |
+| <a name="input_oidc"></a> [oidc](#input\_oidc) | List of OIDC providers | <pre>list(object({<br/>    application_name = string<br/>    application_id   = string<br/>    client_secret    = string<br/>    auth_url         = string<br/>    token_url        = string<br/>    session_druation = optional(number, 12 * 3600)<br/>  }))</pre> | `[]` | no |
 | <a name="input_origin_path"></a> [origin\_path](#input\_origin\_path) | Cloudfront origin path | `string` | `""` | no |
 | <a name="input_override_status_code_403"></a> [override\_status\_code\_403](#input\_override\_status\_code\_403) | Override status code for 403 error | `number` | `403` | no |
 | <a name="input_override_status_code_404"></a> [override\_status\_code\_404](#input\_override\_status\_code\_404) | Override status code for 404 error | `number` | `200` | no |
@@ -182,5 +130,6 @@ module "static-site" {
 | <a name="output_aws_s3_bucket_name"></a> [aws\_s3\_bucket\_name](#output\_aws\_s3\_bucket\_name) | n/a |
 | <a name="output_aws_s3_bucket_regional_domain_name"></a> [aws\_s3\_bucket\_regional\_domain\_name](#output\_aws\_s3\_bucket\_regional\_domain\_name) | n/a |
 | <a name="output_aws_secret_access_key"></a> [aws\_secret\_access\_key](#output\_aws\_secret\_access\_key) | n/a |
+| <a name="output_oidc_callback_url"></a> [oidc\_callback\_url](#output\_oidc\_callback\_url) | n/a |
 | <a name="output_s3_kms_key_arn"></a> [s3\_kms\_key\_arn](#output\_s3\_kms\_key\_arn) | n/a |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

main.tf

@@ -232,6 +232,51 @@ data "aws_cloudfront_cache_policy" "managed_caching_disabled" {
   name = "Managed-CachingDisabled"
 }
 
+resource "aws_cloudfront_cache_policy" "oidc" {
+  count = length(var.oidc) == 0 ? 0 : 1
+
+  name        = "no-cache-oidc-policy"
+  comment     = "Disable caching for OIDC"
+  default_ttl = 0
+  min_ttl     = 0
+  max_ttl     = 0
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+
+    #enable_accept_encoding_gzip = true
+  }
+}
+
+resource "aws_cloudfront_origin_request_policy" "oidc" {
+  count = length(var.oidc) == 0 ? 0 : 1
+
+  name    = "oidc-origin-policy"
+  comment = "Forward all cookies and query strings for OIDC"
+
+  cookies_config {
+    cookie_behavior = "all"
+  }
+
+  headers_config {
+    header_behavior = "none"
+  }
+
+  query_strings_config {
+    query_string_behavior = "all"
+  }
+}
+
 resource "aws_cloudfront_distribution" "this" {
   comment = local.main_domain
 
@@ -243,6 +288,22 @@ resource "aws_cloudfront_distribution" "this" {
     origin_path              = var.origin_path
   }
 
+  dynamic "origin" {
+    for_each = length(var.oidc) == 0 ? [] : [1]
+
+    content {
+      domain_name = split("/", module.oidc.oidc_callback_url_base)[2]
+      origin_id   = "api-gateway-origin"
+
+      custom_origin_config {
+        http_port              = 80
+        https_port             = 443
+        origin_protocol_policy = "https-only"
+        origin_ssl_protocols   = ["TLSv1.2"]
+      }
+    }
+  }
+
   dynamic "origin" {
     for_each = var.proxy_paths
 
@@ -265,18 +326,26 @@ resource "aws_cloudfront_distribution" "this" {
   is_ipv6_enabled     = true
   default_root_object = "index.html"
 
-  custom_error_response {
-    error_caching_min_ttl = 3000
-    error_code            = 404
-    response_code         = var.override_status_code_404
-    response_page_path    = "/index.html"
-  }
+  dynamic "custom_error_response" {
+    for_each = length(var.oidc) > 0 ? [] : [
+      {
+        error_code         = 404
+        response_code      = var.override_status_code_404
+        response_page_path = "/index.html"
+      },
+      {
+        error_code         = 403
+        response_code      = var.override_status_code_403
+        response_page_path = "/index.html"
+      }
+    ]
 
-  custom_error_response {
-    error_caching_min_ttl = 3000
-    error_code            = 403
-    response_code         = var.override_status_code_403
-    response_page_path    = "/index.html"
+    content {
+      error_caching_min_ttl = 3000
+      error_code            = custom_error_response.value.error_code
+      response_code         = custom_error_response.value.response_code
+      response_page_path    = custom_error_response.value.response_page_path
+    }
   }
 
   default_cache_behavior {
@@ -289,7 +358,7 @@ resource "aws_cloudfront_distribution" "this" {
       query_string = false
 
       cookies {
-        forward = "none"
+        forward = length(var.oidc) == 0 ? "none" : "all"
       }
     }
 
@@ -298,6 +367,15 @@ resource "aws_cloudfront_distribution" "this" {
     default_ttl            = var.default_ttl
     max_ttl                = var.max_ttl
 
+    dynamic "lambda_function_association" {
+      for_each = module.oidc.lambda_edge_function_arn != null ? [module.oidc.lambda_edge_function_arn] : []
+      content {
+        event_type   = "viewer-request"
+        lambda_arn   = lambda_function_association.value
+        include_body = false
+      }
+    }
+
     dynamic "function_association" {
       for_each = concat(
         var.functions.viewer_request == null ? [] : [
@@ -321,6 +399,25 @@ resource "aws_cloudfront_distribution" "this" {
     }
   }
 
+  dynamic "ordered_cache_behavior" {
+    for_each = length(var.oidc) == 0 ? [] : [1]
+
+    content {
+      path_pattern     = "/callback*"
+      target_origin_id = "api-gateway-origin"
+
+      allowed_methods = ["GET", "HEAD", "OPTIONS"]
+      cached_methods  = ["GET", "HEAD"]
+
+      viewer_protocol_policy = "redirect-to-https"
+
+      compress = true
+
+      cache_policy_id          = aws_cloudfront_cache_policy.oidc[0].id
+      origin_request_policy_id = aws_cloudfront_origin_request_policy.oidc[0].id
+    }
+  }
+
   dynamic "ordered_cache_behavior" {
     for_each = var.proxy_paths
 

modules/gitlab/README.md

@@ -2,61 +2,20 @@
 
 This module will setup GitLab CI variables for static website deployment.
 
-## Requirements
-
-| Name                                                                     | Version       |
-| ------------------------------------------------------------------------ | ------------- |
-| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.1, < 2.0 |
-| <a name="requirement_gitlab"></a> [gitlab](#requirement_gitlab)          | >= 15.7, < 18.0 |
-
-## Providers
-
-| Name                                                      | Version |
-| --------------------------------------------------------- | ------- |
-| <a name="provider_gitlab"></a> [gitlab](#provider_gitlab) | >= 15.7, < 18.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name                                                                                                                                                 | Type        |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| [gitlab_project_variable.cloudfront_distribution_id](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable) | resource    |
-| [gitlab_project_variable.s3_bucket](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable)                  | resource    |
-| [gitlab_project_variable.site_aws_access_key_id](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable)     | resource    |
-| [gitlab_project_variable.site_aws_secret_access_key](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable) | resource    |
-| [gitlab_project.this](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/data-sources/project)                                      | data source |
-
-## Inputs
-
-| Name                                                                                                                        | Description | Type     | Default | Required |
-| --------------------------------------------------------------------------------------------------------------------------- | ----------- | -------- | ------- | :------: |
-| <a name="input_aws_access_key_id"></a> [aws_access_key_id](#input_aws_access_key_id)                                        | n/a         | `string` | n/a     |   yes    |
-| <a name="input_aws_cloudfront_distribution_id"></a> [aws_cloudfront_distribution_id](#input_aws_cloudfront_distribution_id) | n/a         | `string` | n/a     |   yes    |
-| <a name="input_aws_s3_bucket_name"></a> [aws_s3_bucket_name](#input_aws_s3_bucket_name)                                     | n/a         | `string` | n/a     |   yes    |
-| <a name="input_aws_secret_access_key"></a> [aws_secret_access_key](#input_aws_secret_access_key)                            | n/a         | `string` | n/a     |   yes    |
-| <a name="input_gitlab_environment"></a> [gitlab_environment](#input_gitlab_environment)                                     | n/a         | `string` | `"*"`   |    no    |
-| <a name="input_gitlab_project_id"></a> [gitlab_project_id](#input_gitlab_project_id)                                        | n/a         | `string` | n/a     |   yes    |
-
-## Outputs
-
-No outputs.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5, < 2.0 |
-| <a name="requirement_gitlab"></a> [gitlab](#requirement\_gitlab) | >= 15.7, < 18.0 |
+| <a name="requirement_gitlab"></a> [gitlab](#requirement\_gitlab) | >= 15.7, < 19.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_gitlab"></a> [gitlab](#provider\_gitlab) | >= 15.7, < 18.0 |
+| <a name="provider_gitlab"></a> [gitlab](#provider\_gitlab) | >= 15.7, < 19.0 |
 
 ## Modules
 
@@ -95,4 +54,4 @@ No modules.
 ## Outputs
 
 No outputs.
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

modules/gitlab/main.tf

@@ -2,7 +2,7 @@ locals {
   cicd_variable_flat_list = flatten([
     for project_id in var.gitlab_project_ids : [
       for variable in var.extra_gitlab_cicd_variables : {
-        id        = "${project_id}-${variable.key}"
+        id         = "${project_id}-${variable.key}"
         project_id = project_id
         variable   = variable
       }